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ABSTRACT 

Digital control systems for applications such as aircraft avionics and multibody 
systems must maintain adequate control integrity in adverse as well as nominal operating 
conditions. For example, control systems for advanced aircraft, and especially those with 
relaxed static stability, will be critical to flight and will, therefore, have very high reliability 
specifications which must be met regardless of operating conditions. In addition, 
multibody systems such as robotic manipulators performing critical functions must have 
control systems capable of robust performance in any operating environment in order to 
complete the assigned task reliably. Severe operating conditions for electronic control 
systems can result from electromagnetic disturbances caused by lightning, high energy 
radio frequency (HERF) transmitters, and nuclear electromagnetic pulses (NEMP). For 
this reason, techniques must be developed to evaluate the integrity of the control system in 
adverse operating environments. The most difficult and illusive perturbations to computer- 
based control systems that can be caused by an electromagnetic environment (EME) are 
functional error modes that involve no component damage. These error modes are 
collectively known as "upset", can occur simultaneously in all of the channels of a 
redundant control system, and are software dependent. Upset studies performed to date 
have not addressed the assessment of fault tolerant systems and do not involve the 
evaluation of a control system operating in a closed-loop with the plant This paper 
presents a methodology for performing a real-time simulation of the closed-loop dynamics 
of a fault tolerant control system with a simulated plant operating in an electromagnetically 
harsh environment. In particular, the paper discusses considerations for performing upset 
tests on the controller. Some of these considerations are the generation and coupling of 
analog signals representative of electromagnetic disturbances to a control system under test, 
analog data acquisition, and digital data acquisition from fault tolerant systems. In 
addition, the paper presents a case study of an upset test methodology for a fault tolerant 
electronic aircraft engine control system. 

I. Introduction 

Advanced aircraft designs reduce aerodynamic drag via relaxed static stability and, 
therefore, control systems that are critical to the flight of the aircraft are required to maintain 
stability. In addition, fuel efficiency is greatly improved in advanced designs by using 
light-weight nonmetallic (composite) aircraft structures, rather than the metal ones currently 
in use. T^e trend in avionics technology is the implementation of control laws on digital 
computers that are interfaced to the sensors and control surfaces of the aircraft. Since 
digital computers are highly susceptible to transient electrical signals, the use of digital 
controls compounds the problem already incurred through the use of composite structures 
which do not provide the electrical shielding inherent in metal. As the function of the 
control system becomes more flight critical and the use of composite materials becomes 
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more widespread, the problem of verifying the integrity of the control in adverse, as well as 
nominal, operating environments becomes a key issue in the development of a control 
system. The use of digital computers to implement control laws is also evident in other 
areas of application. For example, in multibody systems such as robotic manipulators, 
control laws are implemented on digital computers. Performance considerations of these 
systems when operating in electromagnetically harsh environments are also of concern. 
Performance evaluation techniques presented in this paper are applicable to the assessment 
of any digital control system, regardless of the specific application. For simplicity, this 
paper will concentrate on techniques for evaluating the performance of avionic control 
systems in adverse operating environments. 

One particularly harsh operating environment results from the presence of 
electromagnetic fields caused by sources such as lightning, high energy radio frequency 
(HERF) transmitters, and nuclear electromagnetic pulses (NEMP). As shown in Fig. 1, 
sources such as lightning, HERF, and NEMP generate electromagnetic fields outside of the 
aircraft which are dependent on the aircraft’s geometry and structural materi al. These 
exterior electromagnetic fields penetrate the aircraft by leaking through Joints, seams, and 
apertures so that interior electromagnetic fields are present. The interior Reids cause analog 
electrical transients to be induced on the aircraft’s wiring, and these signals can propagate 
to the onboard electronic equipment despite shielding and protective devices such as filters 
and surge suppressors. There are two types of effects to digital computer systems that can 
be caused by transient electrical signals. The first is actual component damage that requ ires 
repair or replacement of the equipment. The second type of effect to a digital system is 
characterized by functional error modes collectively known as "upset" which involve no 
component damage. In the case of upset, normal operation can restored to the system 
by corrective action such as resetting/reloading the software or by an internal recovery 
mechanism, such as an automatic rollback to a system state just prior to the disturbance. 

The subject of effective internal upset recovery mechanisms is another current topic for 
research. See reference [1] for a more detailed account of the electromagnetic threat to 
advanced digital avionics systems. " "" _ . \ v__ ;d _.. 

To date, there are no comprehensive guidelines or criteria for performing tests or 
analyses on digital control systems to evaluate upset susceptibility or verify control integrity 
in electromagnetically adverse operating environments. Therefore, the objective of this 
research is to develop a methodology whereby a digital computer-based control system can 
be evaluated for upset susceptibility as well as control integrity when subjected to analog 
transient electrical signals like those that would be induced by an electromagnetic source. 

In particular, the electromagnetic source under consideration in this research is lightning. 
This paper discusses various issues in the design and implementation of upset tests which 
can be performed in the laboratory on a candidate fault tolerant control system during a real- 
time simulation of the closed-loop dynamics of the controller and plant operating in an 
adverse electromagnetic environment A case study is described involving the upset test 
design of a full-authority electronic engine controller (EEC). 

n. Upset Test Design for Fault Tolerant Control Systems 

Most upset studies conducted to date have involved general-purpose systems 
executing a generic application code during testing [2] - [6]. One upset study involved the 
evaluation of an Inertial Navigation System that was subjected to transient signals like those 
that could result from NEMP [7]. Since none of these studies involved a control system 
that has closed-loop dynamics with a plant, it is desirable that an upset methodology be 
formulated for such a system. The general laboratory test configuration for the upset 
evaluation of a control system is shown in Fig. 2. As shown in the figure, the test 
configuration involves two control units - the unit under test and an unperturbed reference 
unit. The controller under test is perturbed by transient signals like those that could be 
induced by lightning. Each controller is interfaced to a simulation (hardware or software) 
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of the plant in such a manner as to represent the closed-loop dynamics of the system. The 
operation of the two plant simulations are compared during tests so that cases in which 
acceptable control is not maintained by the faulted controller can be flagged in real time. 
Data obtained from the controllers during tests are stored for post processing and analysis. 
An alternative to having a faulted and reference controller is to have one controller which 
would be run with the plant simulation without faults for a period of time in a so-called 
"gold run". Unfaulted data would be recorded from the controller as well as the nominal 
operating parameters of the plant Then, the plant parameter data obtained during faulted 
runs would be compared after testing to the nominal data and a determination made 
regarding the control integrity of the faulted controller. Since use of the two controllers 
would save a step in data processing, it is advantageous to use this configuration if two 
prototype controllers are available. 

A. Generation of Analog Transients in the Laboratory 

The waveform, shown in Fig. 3, that is most representative of those that occur on 
internal aircraft wiring due to lightning is a 1 - 50 MHz damped sinusoid which decreases 
in amplitude 50 - 75 % after four cycles [8]. This waveform can be generated by a 
capacitor discharge circuit with light damping [9]. However, use of a simple RLC circuit is 
awkward because components must be changed in order to generate key frequencies in the 
1-50 MHz range. Three pulse generators have been designed to fulfill the electromagnetic 
test requirements of the Royal Aerospace Establishment [10]. One pulse generator 
produces damped sinusoidal waveforms from 2-30 MHz, one is a fixed-frequency 100 
kHz generator, and the third produces two waveforms for ground voltage lightning effects 
simulation. 

The most versatile way to generate the transient signal, and the technique presented 
here, is a polynomial waveform synthesizer which generates the waveform that 
corresponds to the entered equation. The output of the waveform generator can then be 
scaled to the proper amplitude via a wideband power amplifier. In this way, transient 
signals can be easily generated that cover a frequency range of interest and represent the 
induced effects of any electromagnetic source. 

B. Coupling Analog Transients to the Controller Under Test 

The mechanism for coupling analog signals into the digital controller must be such 
that the controller is not loaded down by mismatched impedance. In addidon, the coupling 
mechanism must be representative of that which would occur in the natural operating 
environment, depicted in Fig. 1. The two most widely used coupling techniques are 
resistive and inductive coupling. An advantage to resistive coupling is that no special 
equipment is needed. In addition, it is very easy to inject transient signals into integrated 
circuit pins as well as printed circuit board test points. The coupling method which best 
satisfies the above criteria is to induce voltage into a cable or cable bundle using a ferrite 
coupling transformer that can be clamped around the cable. Details of performing such 
tests are given in [ 1 1 ] and [12]. 

Another consideration is whether the transient signal injection should be 
synchronized with the operation of the controller or whether the transient should be injected 
asynchronously. If the transient is injected synchronously, it must be introduced into the 
controller during each operational state of the processor. Since the number of states in a 
digital control system is very large, the required amount of testing for this approach is 
impractical. For this reason, asynchronous injection of a statistically significant number of 
transient signals is more advantageous. In addition, asynchronously injected transients can 
occur during the transition between states and, therefore, more realistically represent the 
threat that could occur in a natural environment. 
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C. Controller Monitoring Strategies 

In single channel systems, upset modes can be fairly easily detected using comparison 
monitoring techniques on a test unit and reference unit executing identical software and 
operating in bit synchronism. Any time the data bus, address bus, or control lines of the 
test unit differ from those of the reference unit, data can be recorded and analyzed. In this 
way, data is only recorded for transient injections from which errors have occurred. (It 
was established in [2] and [3] that the occurrence and type of upset depends on the relative 
timing of the transient signal injection and the state of the processor. For this reason, upset 
does not occur each time the transient signal enters the system.) An advantage to this 
technique is that, since error-free data is not recorded, the amount of required data 
reduction is reduced. 

Conversely, upset detection in fault tolerant systems is much more complex. Fault 
tolerant controllers usually employ one of two basic redundancy strategies - voting or 
primary/secondary channels. Comparison monitoring techniques cannot be used in upset 
testing of fault tolerant systems since reconfigurations in t he te s t unit would cause 
miscomparisons to be generated without faulty operation being present. For these types of 
systems, upset detection criteria must be carefully selected since they effectively define 
upset for the test unit. 

D. Data Acquisition 

It is recommended that both analog and digital data be recorded during upset tests. 
The analog data to be recorded are the waveforms induced in the digital controller. In this 
way, various threshold characteristics of transient signals that cause upset can be 
determined. Norms such as peak absolute amplitude, maximum absolute rate of rise, peak 
absolute impulse, rectified impulse, and root action integral have been suggested in the 
literature for measuring NEMP stress waveform attributes [13]. These norms were used in 
an NEMP upset study and found to be inadequate [7]. Therefore, appropriate frequency- 
dependent norms for characterizing upset stress attributes of electromagnetically induced 
transient signals from sources such as lightning, HERF, and NEMP remains a topic for 
further research. 

Digital data to be acquired from the controller should include the calculated control 
commands obtained from the data bus, the internal status word of the processor, as well as 
the address bus and appropriate processor control lines. Range checks can be used to 
determine if the calculated control commands are appropriate for the control regime in 
progress. Commands that would be acceptable in one control mode could be devastating in 
another, so calculated command data can only be evaluated in the context of the application. 
The internal status word of the processor should be monitored for the results of self tests, 
parity checks, and other fault tolerance strategies that might be present in the digital 
controller under test. Monitoring the results of the processor's own self-health evaluation 
can signal the beginning of a functional error mode or upset. Upset modes that occur 
without indication from self-health checks may suggest self tests that could be effective 
against upset in future processor designs. Monitoring address bus activity establishes 
cases in which the processor accesses invalid or nonexistent memory space. When this 
happens, the processor executes whatever data word it finds there as a valid instruction and 
often never returns to the correct memory space or correct operation until the system is 
reinitialized. Monitoring the control lines of the processor establishes the operational mode 
of the processor and, therefore, enables the experimenter to determine if invalid memory 
space data has been decoded as an instruction. Exact details of the digital data acquisition 
are dependent on the controller under test. 

In redundant systems with voting, the digital data described above must be obtained 
from all processors as well as the voter, and reconfiguration data must also be obtained. In 
redundant systems with primary/secondary channels, the digital data described above as 
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well as the flags and signals related to which channel is in primary control and which is 
commanding the various control loops must be recorded. Digital data recorded from 
multiprocessor systems should be time-stamped so that concurrent activities of processors 
in the system can be correlated for post processing. 

HI. Case Study: Upset Test Set-up for a Fault Tolerant Engine Controller 

The upset test methodology for digital controllers described in Section II is planned 
to be applied to an electronic engine control (EEC) unit. The EEC is a commercial 
controller manufactured by the Hamilton Standard Division of United Technologies, which 
provides electronic controls for Pratt & Whitney engines. The EEC is a full-authority 
engine controller and is a dual-channel system which operates with a primary/secondary 
channel strategy. A block diagram of the EEC is shown in Fig. 4. As shown in the 
diagram, the EEC receives signals from the airframe, actuator position sensors, and engine 
parameter sensors. The inputs to each channel are also available to the other channel so that 
the best inputs can be selected by both channels. The control commands are calculated with 
the selected inputs and one output is selected to be sent to the actuators. In addition to its 
control function, the EEC performs a comprehensive self-health evaluation during 
background activity. 

The EEC to be used in the test set-up is a modified version of the commercial unit 
Modifications to the EEC include access to the data bus, address bus, and control lines of 
the microprocessors of each channel to enable measurements in the laboratory. In addition, 
nominal flight parameter values for eight different flight conditions are stored in Read Only 
Memory (ROM) as well as the nominal values for all but three of the engine parameters. 

The eight flight conditions to be used during tests are take-off, cruise, acceleration, 
deceleration, reverse, idle, partial power, and climb. The variable inputs to the EEC are 
Throttle Resolver Angle (TRA), Inlet Air Temperature (T2), and Engine Speed (Nl). 

These inputs can be varied for the eight flight cases during testing, and will be initially 
generated as shown in Fig. 5. The TRA input will be generated using a resolver, T2 will 
be generated using a resistive potentiometer, and Nl will be generated using a pulse 
generator. Therefore, for initial tests, the EEC will be running open-loop and the calculated 
commands will be stored in memory. In the next testing phase, these three loops will be 
closed so that the dynamics of the controller and plant can be simulated in real time. 
Subsequent plans are to modify the EEC so that additional variable inputs are provided. 

During testing, each processor in both the test unit and reference unit will be 
monitored for activity on the data bus, address bus, and control lines. Upset for the EEC 
will initially be defined as : 

(i) Selected parameter values for Nl, T2, TRA is out of range for 

n cycles; 

(ii) Calculated control commands are out of range for the given 
flight mode for n cycles; 

(iii) Invalid memory space is accessed for n cycles. 

Indiction of the occurrence of any of these activities on the data bus, address bus, and 
control lines of the processors in the test unit will result in the data being recorded for that 
test run. As testing proceeds, the list of activities defining upset for the EEC will be 
expanded as necessary. 

A block diagram of the upset test instrumentation is shown in Fig. 6. The damped 
sinusoidal waveform of Fig. 3 is generated by a polynomial waveform synthesizer and 
amplified by a wideband power amplifier with a maximum output power of 1000 W and a 
frequency range of 10 kHz - 220 MHz. This analog signal is inductively coupled into the 
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EEC and the induced waveform is recorded on a waveform digitizer/analyzer on which 
some analysis, such as FFT and energy/power spectrum, can be performed directly. 

Digital data from the EEC is recorded on a digital analysis system with 240 input lines that 
can capture data from four microprocessors simultaneously with time correlation. Data can 
be displayed on the digital analysis system in timing, state, or graphical format. Analog 
and digital data from the waveform digitizer/recorder and the digital analysis system is then 
transferred via IEEE 488 bus to a personal computer, which is used for some of the 
analysis, display of data, and transmission to a VAX 11/750 for further analysis. 

IV. Future Work 


Upset tests will be performed on the EEC in both an open-loop and a closed-loop 
configuration in order to compare upset characteristics relative to each of these modes. The 
analog signals induced on the EEC will be recorded and appropriate norms will be defined 
which characterize upset stress thresholds. Digital data recorded from the EEC will be 
scrutinized for selected inputs that are out of range, calculated commands which are 
inappropriate for the given flight regime, accesses to invalid memory space, and problems 
which are flagged by self-health tests. 

The objectives of initial testing are to demonstrate the methodology, establish an 
upset data base for a fault tolerant control system, define characteristic induced waveform 
threshold norms for upset stress, and obtain statistical information about upset in a fault 
tolerant controller. Long range goals include the development of on-line upset detection 
and correction strategies, upset tolerant design techniques, an upset assessment tool for 
data analysis, and an upset reliability estimation procedure. 


SUMMARY 


An upset test methodology is being developed for fault tolerant control systems and 
will be applied to the upset test design of an electronic engine controller. The methodology 
involves generating electrical transients like those that would occur naturally in a lightning 
environment, coupling these signals into a controller under test, and collecting both analog 
and digital data from die controller during tests. The primary objective of this methodology 
is to develop assessment techniques for fault tolerant control systems operating in 
electromagnetically harsh environments due to lightning, HERF, and NEMP. The primary 
motivation for the development of assessment techniques is the trend in the aeronautics 
industry towards flight-critical digital control systems onboard advanced composite aircraft. 
However, techniques and considerations presented in this paper are applicable to digital 
control systems for any application. 
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Figure 1: Coupling of Electromagnetic Fields Into Aircraft 



Figure 2: Laboratory Configuration for Control System Upset Testing 
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Figure 3: SAE-AE4L Committee Damped Sinusoidal Voltage/Current Waveform 



Figure 4: Block Diagram of the Electronic Engine Controller (EEC) 
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Figure 5: Simulated EEC Inputs for TRA, N1, T2 
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Figure 6: Upset Test Instrumentation for EEC Assessment 
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